Executive Overview: Today’s data center is largely virtualized from a compute perspective, and has unleashed unprecedented benefits of agility, efficiency and capex/opex savings. What is less known is that virtual network access ports have exceeded physical network access ports in number, and this trend is accelerating. In fact, today, 40% of vAdmins manage virtual networks. Beyond virtual switching, the time is ripe to virtualize the rest of the networking stack, and accelerate our customer’s journey to the software-defined data center.
The VMware NSX platform delivers the entire networking and security model in software, decoupled from traditional networking hardware, representing a transformative leap forward in data center networking architecture.
Challenges: Businesses need to be more agile and resource-efficient, in order to remain competitive in a rapidly evolving global market. Meanwhile, IT organizations have hit limits of scale, complexity, and operations.
Current data centers are an agglomeration of several generations of networking and security products. Today’s data center networking team faces significant challenges:
Solution requirements: Businesses need to deploy applications with greater speed, efficiency, and security. Our mission was to overcome this challenge, and deliver secure network services to applications running in the data center, that meet the following criteria…
… under the following conditions:
Introducing VMware NSX
Today, we are announcing the VMware NSX platform and products to deliver on the above mission, unleashing the power of network virtualization. The team has re-created the network and security model in software, taking advantage of the benefits of virtualization. This realizes a significant leap forward in capability across the stack, and includes several industry firsts. Before delving into the product itself, here are the key highlights:
Logical switching & routing: Routing functions have been integrated with switching in the hypervisor, enabling direct one-hop connectivity for east-west traffic in the data center, and decoupled from the underlying network fabric using overlays. Also included are optimizations to decouple multicast, unknown unicast and ARP broadcasts from the network. Net effect is efficient, fast packet delivery in the logical plane, and minimizing control traffic in the physical fabric.
Bridging to physical: A logical view of virtual and physical devices is presented, leveraging integration between the NSX Controller and agents in Arista, Brocade, Cumulus, Dell, HP and Juniper network devices. Also included are translational bridging between logical overlays and VLANs to enable seamless interconnection of physical and virtual without re-addressing.
Distributed Firewall: Stateful firewall capability is built into the hypervisor, delivering distributed, scale-out, high-performance firewall inspection at each virtual switch port, while tracking VM adds, moves and changes. Firewall management is dramatically simplified by enabling rules, audits and monitoring based on virtual infrastructure containers, applications, AD users/identity, and yet richer, using network virtualization and VM introspection. The distributed firewall capability also enables stateful, logical insertion of partner devices/agents e.g. F5, McAfee, Palo Alto Networks, Symantec and Trend.
Logical Edge Services: The NSX Edge Services router provides the critical network services required to on-ramp/off-ramp traffic to/from the data center, including perimeter routing (BGP, OSPF, IS-IS), firewalls, user & site VPNs, elastic load balancers and DNS/DHCP/IP services. We also take advantage of virtualization to provide flexible placement, N+1 redundancy, runtime load balancing, and per-tenant resource management. These logical, scale-out services are programmatically deployed on a per-tenant or app basis, solving the choke point and provisioning issues commonly seen in current architectures.
VMware NSX – The Platform for Network Virtualization
For the first time, switching, bridging, routing and firewall capability are built into the hypervisor, and realized in an integrated, distributed fashion at each virtual switch port. This delivers unprecedented granularity of visibility, security and control. The scale out, integrated architecture combined with eliminating traffic hair-pinning, results in aggregate performance above 1 Tbps! NSX Controller clusters and the NSX Management layer abstract, logically centralize, pool and automate these functions, to enable real-time consumption by cloud management platforms and applications.
Overlays are used to decouple logical network services from the underlying network infrastructure. In addition, the VMware NSX platform leverages the broad adoption of VXLAN in commercial switching silicon to provide logical views of workloads and services attached to existing VLANs. We expect to continue to leverage partnerships with network vendors to create smart overlays that take advantage of additional capabilities in the network.
VMware NSX Architecture and Design
As depicted in the diagram below, the VMware NSX solution resides in the virtualization layer, providing L2-L7 network services to the cloud consumption layer above, and mapping these services onto the physical infrastructure below. Independence between the cloud and virtualization layers is achieved by providing a REST API exposing the network services to any upstream provisioning platform. Likewise, vSwitch overlays such as VXLAN provide independence to deploy NSX on any physical IP network infrastructure.
This brings us to the network virtualization layer. For each capability, be it switching, routing or firewall, the services are provided via NSX APIs, and realized using a three-tiered design pattern encompassing the management plane, controlplane and data plane. The NSX Manager internally maps the APIs onto the control plane. The controller cluster is the work horse of the system, handling real time mapping between the system’s desired state and the running state, which it communicates to the control plane agent(s) present per hypervisor. The local information is now used to set up the appropriate switching, routing, or firewall tables and contexts. The appropriate data plane function now proceeds with high-performance, in a scale out fashion across the virtual plane.
VMware NSX – Delivering Network Services in the Software-Defined Data Center
Using the design pattern and architecture depicted above, we now have a unified network virtualization platform supporting several different stacks, including vSphere, vCloud Suites and OpenStack. It is now possible for application developers or cloud management platforms to leverage the power of network virtualization in real-time, to build n-tier apps on existing compute racks and network infrastructure. VMware NSX handles the underlying complexity, and solves key problems including VLAN/IP sprawl and manual provisioning, inflexible silos, security blind spots and end-of-row or perimeter choke points, while delivering high-performance network services.
Summary
The VMware NSX platform represents a major leap forward in the realization of the software-defined data center vision. VMware NSX network virtualization, leveraging advancement in x86 processors, server virtualization, distributed systems and cloud application development frameworks, is ushering in a new generation of networking in the data center.
There’s has been a tremendous amount of work and innovation going into VMware NSX. Thanks and kudos to the several teams that have worked tirelessly to bring the VMware NSX platform to market, including early design partners who have helped shape this product.
Network virtualization is a profound development – as we begin to exploit virtualization further, more traditions will be challenged. We strongly encourage you to get started on the network virtualization journey with VMware NSX today. There are several sessions and labs at VMworld to gain further understanding and insight into the benefits of NSX and network virtualization, and more importantly – how customers are using these capabilities.